Database Revision Control
Database Revision Control gives the administrator the freedom to create fallback configurations when implementing new objects and rules as networks change. This lets the administrator test new Rule Base and object configurations, or revert to an earlier configuration for troubleshooting.
Consider these points when saving your Policies:
* A database version consists of all Policies on a single Gateway plus the configured objects and users, including the settings in SmartDefense and Global Properties.
* It is an ideal management utility for a stand-alone or distributed deployment with a single Gateway.
* It can be configured to create a new database version automatically on every Policy installation.
To help in my troubleshooting, I’ve allowed ICMP under Edit Global Properties (click on the wrench and screwdriver icon).
Create a static NAT rule for the Security Management Server (SMS) using the external IP 192.168.1.25 by double-clicking the SMS Network Object and going to the NAT section. Tick Apply for Security Gateway control connections so that the NAT'd IP 192.168.1.25 is used when managing other Security Gateways on the outside network (CP-SG2 in this case).
At this point there is only one Security Gateway on which to install the policy.
Add a new Security Gateway by right-clicking Network Object > Check Point > Security Gateway/Management and choosing Wizard Mode (Classic Mode was chosen last time).
Type the one-time (SIC) password (the same password configured on the SMS); the wizard then automatically retrieves the Security Gateway's active interfaces.
Create a new policy for the Branch Security Gateway by going to Launch Menu > File > New.
Add new rules and create a Network Object for the Branch inside network 10.2.2.0/24 by right-clicking Network > Network… Also create a Hide NAT using Security Gateway 2's external IP 192.168.1.222 and install this rule only on Branch-SG2.
Save and click Install Policy. De-select HQ-SG1 so that the policy is installed only on Branch-SG2.
You can change and save the default installation targets of the Branch-SG2-Policy package by clicking Select Targets > Specific Security Gateway > Branch-SG2 > Add > OK.
Verify on the Security Gateway CLI with the fw stat command.
Create a database version and back up the network objects and rules for the new policy by going to Install Policy > Advanced > Revision Control and ticking Create database version.
Alternatively, create and manage multiple database versions by going to Launch Menu > File > Database Revision Control and clicking Create. You can optionally tick Keep this version from being deleted automatically, which prevents the version from being purged when newer database versions are created.
You can automatically create a new database version every time a policy is installed by ticking Create a new database version upon Installation operation.
You can also change how old database versions are retained by ticking Automatically delete old versions and clicking Configure. You can choose either to keep a certain number of database versions or to purge them after a certain number of days. For this example I chose Delete versions older than: 5 versions, which only keeps 5 database versions.
You can restore or roll back to a particular database version by clicking the database version number you want, clicking Action and choosing Restore Version.
To merge policies, copy the rules from Branch-SG2-Policy (hold Ctrl and click on each rule) and paste them into Policy1 by going to Launch Menu > File > Open and choosing Policy1.
You can highlight a rule, right-click and choose Add Section Title to add a comment that makes the rule easy to identify.
Give the policy a new name (no spaces allowed) by going to Launch Menu > File > Save As (for this case I gave the name Merged-Policy).
If a policy package is currently installed on a Security Gateway, SmartDashboard prompts whether to proceed with pushing the policy.
Initially I was only able to ping the Google DNS IP 8.8.8.8 from Branch PC2, but I couldn't go to any website because no policy had been created on Branch CP-SG2 to implicitly allow Branch users out to Any destination. I was able to surf the web after creating the said rule and pushing it to the Security Gateway.
I deleted some of the network objects and rules; to revert to a previous database version, go to Launch Menu > File > Database Revision Control > select Version 4 (Merged-Policy) > click Action > choose Restore Version.
You can optionally create a backup database version of the current policy package (the one with the missing network objects and rules) before restoring. Finally, click Restore.
SmartDashboard will automatically close and re-connect to the SMS with the restored Merged-Policy database version.
Click Save and push the policy again by clicking the Install Policy icon.
Verify on both Security Gateways and do some web surfing from the HQ PC and the Branch PC.
HQ PC:
Branch PC:
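As an added example (not part of the original post), a small Python checker for the fw stat verification step used earlier and again here: it parses the command's output and confirms that the package each gateway is actually running is the one that was pushed (Merged-Policy) rather than the placeholder policy a gateway loads before any package is installed. The fw stat outputs below are constructed samples, and the interface names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample `fw stat` output (not captured from the lab in the post):
# the first is what a gateway should show after Merged-Policy was pushed, the
# second is the placeholder policy a gateway runs before any package is installed.
SAMPLE_OK = """HOST      POLICY        DATE
localhost Merged-Policy 12Jan2020 10:15:32 :  [>eth0] [<eth0] [>eth1] [<eth1]
"""
SAMPLE_INITIAL = """HOST      POLICY        DATE
localhost InitialPolicy 12Jan2020 09:58:01 :  [>eth0] [<eth0]
"""

# Names a gateway reports when no administrator-built package is loaded.
PLACEHOLDER_POLICIES = {"InitialPolicy", "defaultfilter"}

_DATA_LINE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\d{1,2}[A-Za-z]{3}\d{4} \d{2}:\d{2}:\d{2})\s+:\s*(.*)$"
)

@dataclass
class FwStat:
    host: str
    policy: str
    installed: str         # install date/time exactly as fw stat prints it
    interfaces: List[str]  # ">eth0" = inbound direction, "<eth0" = outbound

def parse_fw_stat(output: str) -> Optional[FwStat]:
    """Parse the data line of `fw stat`; the header line is skipped."""
    for line in output.splitlines():
        m = _DATA_LINE.match(line.strip())
        if m:
            ifaces = re.findall(r"\[([<>]\S+?)\]", m.group(4))
            return FwStat(m.group(1), m.group(2), m.group(3), ifaces)
    return None

def check_policy(output: str, expected: str) -> str:
    """Classify a gateway's state against the package it should be running."""
    st = parse_fw_stat(output)
    if st is None:
        return "unparsed"
    if st.policy in PLACEHOLDER_POLICIES:
        return "placeholder"          # the push never reached this gateway
    if st.policy != expected:
        return "unexpected:" + st.policy
    if not st.interfaces:
        return "no-interfaces"        # policy loaded but bound to no interface
    return "ok"
```

On a gateway, feed check_policy the stdout of `subprocess.run(["fw", "stat"], capture_output=True, text=True)` instead of the constructed samples.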